Rapper Bot was ‘one of the most powerful DDoS botnets to ever exist’ – now it’s done and dusted
Rapper Bot is believed to have been behind more than 370,000 attacks, including one on the X platform


An Oregon man has been arrested and charged amid allegations that he coordinated the Rapper Bot botnet, believed to have caused huge outages on X.
Ethan Foltz, 22, has been charged in the District of Alaska with developing and administering the DDoS-for-hire botnet, which has conducted a series of large-scale cyber attacks since at least 2021.
Campaigns in August 2022 and December 2022 focused on brute-forcing devices with weak or default SSH and Telnet credentials to expand the botnet’s footprint for launching DDoS attacks.
The following year, analysis from Fortinet shows it started branching out into cryptojacking, specifically for Intel x64 machines.
At first, the attackers deployed and executed a separate Monero cryptominer alongside the usual Rapper Bot binary, later combining both functionalities into a single bot.
Also known as Eleven Eleven Botnet and CowBot, Rapper Bot mainly targeted devices like digital video recorders or Wi-Fi routers at scale, exploiting them for DDoS attacks in more than 80 countries around the world.
Victims included a US Department of Defense network and several US tech companies - most notably the X social media platform, which was hit in March this year.
Rapper Bot has been on a rampage
According to authorities, Rapper Bot has been responsible for more than 370,000 attacks since April, targeting 18,000 unique victims.
It used between 65,000 and 95,000 infected victim devices to regularly conduct DDoS attacks that amounted to between two and three terabits per second, with the largest attack believed to have topped six terabits per second.
Even the smallest of these could cost the victim up to $10,000, according to the Department of Justice (DOJ).
Foltz allegedly provided paying customers with access to what the DOJ called “one of the most sophisticated and powerful DDoS-for-hire botnets currently in existence”.
Some Rapper Bot customers, including Chinese gambling operations, extorted victims globally.
Earlier this month, law enforcement officials carried out a search warrant on Foltz’ residence in Oregon and shut down Rapper Bot’s attack capabilities, gaining administrative control. There don't appear to have been any attacks since.
“Rapper Bot was one of the most powerful DDoS botnets to ever exist, but the outstanding investigatory work by DCIS cyber agents and support of my office and industry partners has put an end to Foltz’s time as administrator and effectively disrupted the activities of this transnational criminal group,” said US attorney Michael J. Heyman for the District of Alaska.
“Our office remains committed to disrupting and dismantling cyber criminals that threaten internet security and infrastructure in the District of Alaska and across the United States.”
Amazon Web Services (AWS) contributed to the takedown by identifying Rapper Bot’s command and control (C2) infrastructure, and reverse engineering the IoT malware to map its operations and activities.
Foltz is charged with one count of aiding and abetting computer intrusions, for which he could face up to ten years in prison.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.